Most information security professionals (and many IT lackeys) think of security from the outside in. In other words, they worry about attackers hacking into their company but rarely focus on the internal threat.
Tonight I was discussing with my girlfriend how she could hack "out of" her company. You see, the company has come under new IT management who have restricted her access to browse the web. Sites such as mail.yahoo.com are blocked along with hotmail.com, but, strangely enough, so are sites that have the word "mail" anywhere in the name.
Not knowing how the network was locked down, we began to theorize about how she could get outside the company. We know that some kind of web proxy is used because when she tried to visit the verboten sites a friendly "Ooops…" message appeared.
If the company is locking down users properly, then the individual workstations should not have any direct access to the Internet. Instead they should only be permitted to reach a proxy server, which in turn is allowed to access the Internet. If that is the case, there is no breaking out of the company.
But… if the workstations can potentially reach the Internet directly, and the browser is merely configured to auto-detect a proxy server (potentially via DNS or DHCP), then there are ways.
If, on the other hand, the network administrators are sloppy geeks, they may have allowed certain outbound protocols (such as SMTP, POP3, IMAP) so they can reach their own servers on the Internet. Let's see what we can try…
- Use Netcat (nc.exe) to probe ports and determine which ones the workstation can reach directly through the firewall.
- If port 22 is open, SSH to a host on the Internet and tunnel all other protocols through it.
- If the proxy server is discovered via DNS, hard-code your own (external) DNS server on the workstation.
- Install Tor (tor.eff.org) and run it locally, reaching the Internet via the corporate proxy server. Leverage the Tor onion routers to tunnel to sites such as those with "mail" in the name.
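Seen from the network administrator's side, the directly reachable ports in the list above are exactly what an egress-firewall audit should surface. The following Python is an added example, not code from the original post: it scans firewall accept-log lines and reports every workstation flow that did not go through the sanctioned proxy. The log format, the workstation subnet 10.1.2.0/24, the proxy address 10.1.0.5:8080 and the log lines themselves are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from any real device): one accepted
# outbound flow per line, as a locked-down egress firewall might record them.
SAMPLE_LOG = """\
2024-01-10T09:00:01 ACCEPT src=10.1.2.15 dst=10.1.0.5 proto=tcp dport=8080
2024-01-10T09:00:02 ACCEPT src=10.1.2.15 dst=10.1.0.5 proto=tcp dport=8080
2024-01-10T09:00:07 ACCEPT src=10.1.2.22 dst=203.0.113.9 proto=tcp dport=22
2024-01-10T09:00:09 ACCEPT src=10.1.2.22 dst=203.0.113.9 proto=tcp dport=22
2024-01-10T09:01:13 ACCEPT src=10.1.2.40 dst=198.51.100.7 proto=tcp dport=25
2024-01-10T09:01:20 ACCEPT src=10.1.2.40 dst=198.51.100.7 proto=udp dport=53
2024-01-10T09:02:00 ACCEPT src=10.1.9.3 dst=192.0.2.10 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Ports the post singles out as "ways out" when a workstation can reach them directly.
BREAKOUT_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 110: "pop3", 143: "imap"}


def find_proxy_bypasses(log_text, workstation_net, proxy_ip, proxy_port):
    """Return (src, dst, proto, dport, service) for every accepted flow from a
    workstation that did not go to the sanctioned proxy. Any result means a
    workstation has a direct path through the firewall and the proxy is bypassable."""
    net = ipaddress.ip_network(workstation_net)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or "ACCEPT" not in line:
            continue  # dropped flows or unparsable lines are not egress paths
        src, dst = m["src"], m["dst"]
        proto, dport = m["proto"], int(m["dport"])
        if ipaddress.ip_address(src) not in net:
            continue  # not a workstation; servers may legitimately go direct
        if dst == proxy_ip and dport == proxy_port:
            continue  # the sanctioned path: browser -> proxy
        hits.append((src, dst, proto, dport, BREAKOUT_PORTS.get(dport, "other")))
    return hits


if __name__ == "__main__":
    for src, dst, proto, dport, svc in find_proxy_bypasses(
        SAMPLE_LOG, "10.1.2.0/24", "10.1.0.5", 8080
    ):
        print(f"proxy bypass: {src} -> {dst} {proto}/{dport} ({svc})")
```

Every reported line is a firewall rule to tighten; once workstations can only reach the proxy, the tunnelling tricks above have nothing to ride on.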
What are some other ways to test and then hack your way out of the company?